possibly hacked
M A Young
m.a.young at durham.ac.uk
Thu Nov 16 17:34:06 UTC 2006
On Thu, 16 Nov 2006 olga at urbantimes.net wrote:
> Here's what I get when I issued: netstat -nap
>
> tcp 0 0 131.x.x.x:38423 72.x.x.x:80 ESTABLISHED 5226/ps x
> tcp 0 0 131.x.x.x:38420 72.x.x.x:80 ESTABLISHED 5365/ps x
>
> About a hundred instances of that program 'ps x' running.
>
> Also here's what ps -ef produced:
>
> apache 6323 1 0 10:30 ? 00:00:00 ps x
> apache 6324 1 0 10:30 ? 00:00:00 ps x
> apache 6326 1 0 10:30 ? 00:00:00 ps x
> apache 6328 1 0 10:30 ? 00:00:00 ps x
> apache 6330 1 0 10:30 ? 00:00:00 ps x
The processes are owned by apache, so the chances are that there is a
security hole in the version of apache/httpd that you are using, or
perhaps more likely there are exploitable web pages somewhere on your
server (maybe a bulletin board like phpbb, or phpmyadmin).
I see that these things are talking to port 80, ie. probably a web server
on the remote site, so it could be getting commands from there or
attempting to spread further.
Your web logs may be able to tell you more.
Michael Young
More information about the fedora-list
mailing list